Rootkits: Subverting the Windows Kernel
http://www.amazon.com/exec/obidos/redirect?link_code=ur2&camp=1789&tag=rootkit-20&creative=9325&path=tg/detail/-/0321294319/qid=1117165919/sr=8-6/ref=sr_8_xs_ap_i6_xgl14?v=glance%26s=books%26n=507846
The lack of a definitive book on rootkits led Greg Hoglund and me to author
one that we believe will fill the void, much in the same way that the
Shellcoder's Handbook and Exploiting Software did for the field of
vulnerability discovery and exploitation. The book covers the subject matter
in depth, going as far as answering a number of questions posed over time on
the forums at rootkit.com, such as:
- Hooking the system call table
- Circumventing memory protections
- Hooking the Interrupt Descriptor Table (IDT)
- Hooking the SYSENTER instruction
- Covert communications
- Interacting with hardware
Our book doesn't answer these questions with theory. Instead, we use
hard-hitting, functional code examples that can be compiled and used "off
the shelf".
Readers who aren't new to rootkits and hooking should still enjoy the
section on hooking userland processes from the kernel using a method that
does not require calls to OpenProcess(), VirtualProtectEx(),
WriteVirtualMemory(), etc. Ever curious about how DKOM and the FU rootkit
really work? See Chapter 7, which provides the complete play-by-play.
Included in the DKOM chapter you will find a section on synchronization.
Yes, that's right: information is provided allowing one to modify shared
data structures in a multiple-CPU-safe manner without trying to find
unexported spinlocks and mutexes.
Want to hide local network ports? Complete source code is detailed and
included in a section on hooking. It describes the structures TCPIP.SYS uses
and how to alter them so as to confuse netstat and similar programs.
If you're still not totally convinced that rootkits may need to be put on
the agenda for your next meeting with the CIO or CTO of your company, then
consider the following. What happens once an attacker has popped a box,
whether using a product like Canvas or Core Impact, or a free tool like
Metasploit? More and more focus has been put into getting into the kernel
after exploiting a system service. Remember Barnaby Jack's paper? If you
think your CIO or CTO will respond with, "Well, we have a great IDS and run
HIPS on our exposed machines," consider this: there are currently no
signatures for kernel shellcode, and even if there were, bypassing an IDS
is much like going through airport security (don't look suspicious). Most
HIPS products do not completely protect you from kernel infection.
Last but not least are chapters on network communication from the kernel,
hardware interaction, and rootkit detection. For the complete context, read
on.
Rootkits: Subverting the Windows Kernel
http://www.amazon.com/exec/obidos/redirect?link_code=ur2&camp=1789&tag=rootkit-20&creative=9325&path=tg/detail/-/0321294319/qid=1117165919/sr=8-6/ref=sr_8_xs_ap_i6_xgl14?v=glance%26s=books%26n=507846
Preface xv
Acknowledgments xix
About the Authors xxi
1 Leave No Trace 1
Understanding Attackers' Motives 2
The Role of Stealth 2
When Stealth Doesn't Matter 3
What Is a Rootkit? 4
Why Do Rootkits Exist? 4
Remote Command And Control 5
Software Eavesdropping 5
Legitimate Uses of Rootkits 6
How Long Have Rootkits Been Around? 7
How Do Rootkits Work? 8
Patching 8
Easter Eggs 9
Spyware Modifications 9
Source-Code Modification 9
The Legality of Software Modification 10
What a Rootkit Is Not 10
A Rootkit Is Not an Exploit 11
A Rootkit Is Not a Virus 11
Rootkits and Software Exploits 13
Why Exploits Are Still a Problem 15
Offensive Rootkit Technologies 17
HIPS 17
NIDS 17
Bypassing the IDS/IPS 18
Bypassing Forensic Tools 18
Conclusion 20
2 Subverting the Kernel 21
Important Kernel Components 22
Rootkit Design 23
Introducing Code into the Kernel 25
Building the Windows Device Driver 26
The Device Driver Development Kit 27
The Build Environments 27
The Files 27
Running the Build Utility 29
The Unload Routine 30
Loading and Unloading the Driver 30
Logging the Debug Statements 31
Fusion Rootkits: Bridging User and Kernel Modes 32
I/O Request Packets 33
Creating a File Handle 37
Adding a Symbolic Link 38
Loading the Rootkit 39
The Quick-and-Dirty Way to Load a Driver 40
The Right Way to Load a Driver 41
Decompressing the .Sys File from a Resource 43
Surviving Reboot 46
Conclusion 47
3 The Hardware Connection 49
Ring Zero 50
Tables, Tables, and More Tables 52
Memory Pages 53
Memory Access Check Details 53
Paging and Address Translation 55
Page-Table Lookups 56
The Page-Directory Entry 58
The Page-Table Entry 59
Read-Only Access to Some Important Tables 59
Multiple Processes, Multiple Page Directories 59
Processes and Threads 60
The Memory Descriptor Tables 61
The Global Descriptor Table 61
The Local Descriptor Table 62
Code Segments 62
Call Gates 62
The Interrupt Descriptor Table 62
Other Types of Gates 65
The System Service Descriptor Table 66
The Control Registers 66
Control Register Zero (Cr0) 66
Other Control Registers 67
The Eflags Register 67
Multiprocessor Systems 68
Conclusion 69
4 The Age-Old Art of Hooking 71
Userland Hooks 71
Import Address Table Hooking 73
Inline Function Hooking 74
Injecting a DLL into Userland Processes 76
Kernel Hooks 81
Hooking the System Service Descriptor Table 82
Hooking the Interrupt Descriptor Table 91
Hooking the Major I/O Request Packet Function Table in the Device Driver Object 86
A Hybrid Hooking Approach 106
Getting into a Process's Address Space 106
Memory Space for Hooks 111
Conclusion 112
5 Runtime Patching 113
Detour Patching 114
Rerouting the Control Flow Using MigBot 115
Checking for Function Bytes 117
Keeping Track of the Overwritten Instructions 118
Using NonPagedPool Memory 121
Runtime Address Fixups 121
Jump Templates 125
The Interrupt Hook Example 126
Variations on the Method 133
Conclusion 133
6 Layered Drivers 134
A Keyboard Sniffer 136
I/O Request Packet (IRP) and Stack Locations 137
The KLOG Rootkit: A Walk-Through 140
File Filter Drivers 153
Conclusion 167
7 Direct Kernel Object Manipulation 169
DKOM Benefits and Drawbacks 169
Determining the Version of the Operating System 171
User-Mode Self-Determination 171
Kernel-Mode Self-Determination 173
Querying the Operating System Version in the Registry 174
Communicating with the Device Driver from Userland 175
Hiding with DKOM 179
Process Hiding 180
Device-Driver Hiding 185
Synchronization Issues 189
Token Privilege and Group Elevation with DKOM 193
Modifying a Process Token 194
Faking out the Windows Event Viewer 208
Conclusion 210
8 Hardware Manipulation 213
Why Hardware? 215
Modifying the Firmware 216
Accessing the Hardware 217
Hardware Addresses 217
Accessing Hardware Is Not Like Accessing RAM 218
Timing Considerations 219
The I/O Bus 219
Accessing the BIOS 221
Accessing PCI and PCMCIA Devices 221
Example: Accessing the Keyboard Controller 222
The 8259 Keyboard Controller 222
Changing the LED Indicators 222
Hard Reboot 229
Keystroke Monitor 229
How Low Can You Go? Microcode Update 236
Conclusion 237
9 Covert Channels 239
Remote Command, Control, and Exfiltration of Data 240
Disguised TCP/IP Protocols 241
Beware of Traffic Patterns 242
Don't Send Data "in the Clear" 242
Use Time to Your Advantage 243
Hide Under DNS Requests 243
"Stego" on ASCII Payloads 244
Use Other TCP/IP Channels 245
Kernel TCP/IP Support for Your Rootkit Using TDI 246
Build the Address Structure 246
Create a Local Address Object 248
Create a TDI Endpoint with Context 252
Associate an Endpoint with a Local Address 254
Connect to a Remote Server (Send the TCP Handshake) 257
Send Data to a Remote Server 259
Raw Network Manipulation 262
Implementing Raw Sockets on Windows XP 262
Binding to an Interface 263
Sniffing with Raw Sockets 264
Promiscuous Sniffing with Raw Sockets 264
Sending Packets with Raw Sockets 265
Forging the Source 266
Bouncing Packets 266
Kernel TCP/IP Support for Your Rootkit Using NDIS 267
Registering the Protocol 267
The Protocol Driver Callbacks 273
Moving Whole Packets 278
Host Emulation 285
Creating Your MAC Address 286
Handling ARP 286
The IP Gateway 289
Sending a Packet 289
Conclusion 293
10 Rootkit Detection 295
Detecting Presence 295
Guarding the Doors 296
Scanning the "Rooms" 298
Looking for Hooks 298
Detecting Behavior 308
Detecting Hidden Files and Registry Keys 308
Detecting Hidden Processes 309
Conclusion 312
Index 315
P.S. We will be releasing VICE 2.0, using advanced detection algorithms, in
conjunction with or shortly after this book.
<Commercial over. Continue with your day.>